Monday, November 4, 2013

Daily Blog #134: Sunday Funday 11/3/13 Winner!

Hello Reader,
           Another Sunday Funday has come and gone with a range of good responses to choose from. Choosing this weeks winner was hard as I had some good submissions that went into depths on different parts of their investigative process. I choose this weeks winning answer over the other submissions due to its good details, I'm a sucker for screen shots and focus on deletion related activity. This was a tough choice and I look forward to making more tough choices as the answers to these contests keep getting better!

The Challenge:
A shared Windows 2008 R2 terminal server was setup allowing employee's to work from home without requiring VPN access. On that server several files used by a department suddenly got deleted and no one is taking responsibility. What would you do to determine what user deleted the files with the assumption that they RDP'd in to do so?

The Winning Answer:
Darren Windham

1.) First I would review the $Recycle.bin folder for the volume where the files were stored. By default these will be hidden and you will need to change your explorer settings to show hidden/system files.

2.) For my testing I created a file in D:\Sunday Funday\ called deleteme.txt and deleted the file via an RDP session.

3.) Using an admin command prompt I then went to the D:\$RECYCLE.BIN folder and did a dir /s /b and got the following:

4.) Here we can see the %SID% folder where %SID% is the SID of the user that performed the deletion and there are two files where the original file has been renamed to $R and some random characters. We can also see a similar named file but starting with a $I that contains the the original directory name, date/time deleted and size but this file is not plain readable text as shown below

5.) Some commercial tools like Encase and FTK can parse these to readable text but you can also use a hex editor and the following file structure
Bytes 0-7: $I File header – always set to 01 followed by seven sets of 00.
Bytes 8-15: Original file size – stored in hex, in little-endian.
Bytes 16-23: Deleted date/time stamp – represented in number of seconds since Midnight, January 1, 1601. Use a program such as Decode to assist with figuring out the exact date/time, if you don’t want to do the math
Bytes 24-543: Original file path/name.

6.) Then to tie the SID to a specific user we can look in this case since it is not a domain server at the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList we can see what user account has the -1001 SID (HECF)

7.) You can also review windows security event logs for event ID type 4624 for successful login around the time in question and look for a successful login from HECF
I do need to give credit to Derek Netwon and this blog post of his that had some great info on the newer (post INFO2 file) recycle bin.

End of Winning Answer
There you have it, another Sunday Funday ended and good information learned not only from the winning answer but public submissions as well like the great one from Harlan Carvey.